
Business Continuity Plan Audit Question Checklist

| No. | Control Objective | Procedure | Procedure Result |
|---|---|---|---|
| 1 | | Have procedures been documented for disaster control and recovery? Do these procedures protect against fire and other hazards for the data center, data files, and programs? Has management formally approved the BCP documentation? Is adequate review done to ensure the plan is current? | |
| 2 | Scope and assumption of BCP | Evaluate the scope of each Plan and the assumptions that were used to develop each Plan. The assumptions represent the base conditions that must exist in order for the Plans to work. Typical assumptions may include: (a) Worst Case Interruption; (b) Level of Plan Detail; (c) File Backup; (d) Off-Site Inventory; (e) Contingency Strategy; (f) Communications Network; (g) Business Impact Analysis; (h) Outsource vendor computer processing recovery. Determine if adequate documentation is contained within the plan to address all of the above assumptions. | |
| 3 | Business Impact Analysis | Has a Business Impact Analysis been done to determine the recovery cost/importance for all site critical systems? Assess the reasonableness of the Business Impact Analysis (BIA) and determine if it realistically reflects the Verify that the following items have been determined and used to evaluate the recovery strategy options: (a) Critical processing applications. (b) Critical time frames, i.e., the time between the point of interruption and the point at which an application system must be updated to current status. (c) Dollar losses that would result from an extended outage. (d) Other potential effects of the processing interruption. | |
| 4 | Recovery Strategy | Review the Recovery Strategy and determine if the selected strategy will keep the site's projected losses below the site's materiality level. | |
| 5 | Redundant copy of critical files | Are copies of critical files stored at a remote location and restricted from unauthorized access? Are copies of operating programs stored outside the computer room? Are duplicate programs maintained at a remote location and restricted from unauthorized access? | |
| 6 | Application System Sub-Plan | Assess the adequacy of the Application System Sub-Plan for a sample of critical systems in each Plan to ensure that the application production file rotation procedures support the critical file reconstruct/update process during recovery mode and that the processing requirements of applications in recovery mode are adequately documented. | |
| 7 | Hardware/Software Sub-Plan | Review the Hardware/Software Sub-Plan to determine that the minimum requirements for recovery hardware at the recovery site are compatible with the primary processing site hardware and that the hardware/software configuration is adequate to recover critical applications within the pre-defined critical time frames. In addition, determine that the successful continuance of application processing is ensured as processing activity migrates from the recovery site to the restored site. | |
| 8 | Communications Sub-Plan | Review the Communications Sub-Plan to determine that a communications network capable of handling the critical data requirements is provided within the time frames specified, that communication actions which are necessary to support a recovery operation are adequately documented, and that the necessary communication networking for a successful transition between the recovery and the restored sites is ensured. | |
| 9 | Disaster Recovery Organization | Review the Disaster Recovery Organization and the Disaster Recovery Team Actions to verify that the necessary Teams with Leaders and Members and each responsibility have been identified. | |
| 10 | BCP Testing | Determine that each Plan has been tested at least every two years. Based on the results of the most recent test, determine whether the Plans were adequately tested and appropriate follow-up is being made on significant weaknesses. Contact the Manager, Systems Audits, to determine if an observation of a test of the Plan should be performed. | |
